#auth

Law enforcement authorities in Europe have arrested five suspects in connection with an "elaborate" online investment fraud scheme that stole more than €100 million ($118 million) from over 100 victims in France, Germany, Italy, and Spain. According to Eurojust, the coordinated action saw searches in five places across Spain and Portugal, as well as in Italy, Romania and Bulgaria. Bank accounts

The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive.

An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users. A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.

Newly released data shows Customs and Border Protection funneled the DNA of nearly 2,000 US citizens—some as young as 14—into an FBI crime database, raising alarms about oversight and legality.

A lack of restrictions allowed data hoarders to steal sensitive and copyrighted material from the AAPB website for years.

SolarWinds has released hot fixes to address a critical security flaw impacting its Web Help Desk software that, if successfully exploited, could allow attackers to execute arbitrary commands on susceptible systems. The vulnerability, tracked as CVE-2025-26399 (CVSS score: 9.8), has been described as an instance of deserialization of untrusted data that could result in code execution. It affects

Austin, Texas, USA, 23rd September 2025, CyberNewsWire

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: AutomationDirect Equipment: CLICK PLUS Vulnerabilities: Cleartext Storage of Sensitive Information, Use of Hard-coded Cryptographic Key, Use of a Broken or Risky Cryptographic Algorithm, Predictable Seed in Pseudo-Random Number Generator, Improper Resource Shutdown or Release, Missing Authorization 2. RISK EVALUATION Successful exploitation of these vulnerabilities disclose sensitive information, modify device settings, escalate privileges, or cause a denial-of-service condition on the affected device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following AutomationDirect products are affected: CLICK PLUS C0-0x CPU firmware: Versions prior to v3.71 CLICK PLUS C0-1x CPU firmware: Versions prior to v3.71 CLICK PLUS C2-x CPU firmware: Versions prior to v3.71 3.2 VULNERABILITY OVERVIEW 3.2.1 Cleartext Storage of Sensitive Information CWE-312 Cleartext storage of sensitive information...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.3 ATTENTION: Low Attack Complexity Vendor: Schneider Electric Equipment: SESU Vulnerability: Improper Link Resolution Before File Access ('Link Following') 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an authenticated attacker to write arbitrary data to protected locations, potentially leading to escalation of privilege, arbitrary file corruption, exposure of application and system information or persistent denial of service when a low-privileged attacker tampers with the installation folder. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: Schneider Electric SESU: <3.0.12 Schneider Electric SESU installed on Schneider Electric BESS ANSI: SESU versions prior to 3.0.12 Schneider Electric SESU installed on Schneider Electric Easergy MiCOM P30: SESU versions prior to 3.0.12 Schneider Electric SESU installed on Schneider Electric Easergy MiCOM P40: SESU ve...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3.1 6.8 ATTENTION: Exploitable remotely Vendor: Mitsubishi Electric Equipment: MELSEC-Q Series CPU module Vulnerability: Improper Handling of Length Parameter Inconsistency 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause a denial of service (DoS). 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Mitsubishi Electric MELSEC-Q Series CPU modules are affected: MELSEC-Q Series Q03UDVCPU: The first 5 digits of serial No. '24082' to '27081' MELSEC-Q Series Q04UDVCPU: The first 5 digits of serial No. '24082' to '27081' MELSEC-Q Series Q06UDVCPU: The first 5 digits of serial No. '24082' to '27081' MELSEC-Q Series Q13UDVCPU: The first 5 digits of serial No. '24082' to '27081' MELSEC-Q Series Q26UDVCPU: The first 5 digits of serial No. '24082' to '27081' MELSEC-Q Series Q04UDPVCPU: The first 5 digits of serial No. '24082' to '27081' MELSEC-Q Series Q06UDPVCPU: The first 5 digits of serial No...